ABSTRACT OF THESIS
AUTOMATED SYSTEM ENDPOINT HEALTH EVALUATION 
USING THE NATIONAL VULNERABILITY DATABASE (NVD) 

A means of evaluating the security health of connected computers allows an administrator to manage which computers can participate in a network, and to control the participation of systems that do not conform to the security policy. Requiring systems to demonstrate compliance with the policy limits the risk of allowing non-compliant systems access to trusted networks.

One aspect of determining the risk a system represents is patch level: a comparison between the availability of vendor security patches and their application on a system. A fully patched system has all available patches applied. Using patch level as a security health check, systems can evaluate as compliant, yet may still contain known vulnerabilities, representing real risks of exploitation.

An alternative compares system software components to the public vulnerability reports contained in the National Vulnerability Database (NVD). This approach may produce a more accurate assessment of system risk for several reasons, including removing the delays caused by vendor patch




platforms oiner than those of Open Source origin. 

This alternative method, which compares system software components to lists of known software vulnerabilities, must first match system components to



In the process of this analysis, significant issues arose within the NVD pertaining to the handling of Open Source vulnerability information. Direct matching is not possible using the current information in the NVD. Furthermore, these issues support the belief that the NVD is not an accurate data source for vulnerability comparisons between closed and open source software.
1. Introduction



Access Control (CNAC), Open Vulnerability and Assessment Language (OVAL), the Information Security Automation Program (ISAP), the Security Content Automation Program (SCAP), and include standards organizations like the Trusted Network Connect (TNC) Work Group and the IETF's Network

The intent of a health evaluation is to ensure that systems that attach to a trusted network comply with the network's security policy before they are allowed to participate on it. A health evaluation may involve queries of the system patch state, the system's network location or physical location, the state of a system firewall and system virus protection, and may include other aspects depending upon the security policy requirement.

An accurate health evaluation depends upon current information about the system and its environment. To evaluate policy compliance, up-to-date system health information is required. It follows that a health evaluation should include a check to verify that a system has current patches applied; the desire to



in trusted networks because the system contains all available updates.






source for vulnerabilities, collecting information from various sources and consolidating synonymous security issues to a single identifying Common Vulnerabilities and Exposures (CVE) number.

The NVD represents two factors that are important to this work: it is a vendor-independent source of vulnerability information, and it provides daily updates in a machine-readable format that facilitates automated analysis. This work identifies the importance of using vendor-independent vulnerability information for health checking, and it uncovers several critical limitations of the NVD for this type of analysis.

In spite of these limitations, this thesis will show that it is a fallacy to assume a fully up-to-date system is "healthy". This fallacy is apparent from the presence of vulnerabilities listed in the NVD within "healthy" systems. Therefore, measuring a system's health status using a vendor's patch information does not produce results as complete as those obtained from NVD information.



1.1 Problem Statement

Is it possible to use a vendor-independent vulnerability data source such as the NVD to detect vulnerabilities within currently "up-to-date" systems? Will information obtained from the NVD produce results that are the same as those obtained by using vendor-provided software update appraisals? In other words, if a vendor's software update utility reports a system as "up-to-date", is it possible to demonstrate that there are unpatched vulnerabilities in the system, even though the vendor's utility reports it as vulnerability-free?

Furthermore, since the vulnerability information in the NVD is stored in machine-readable format, is it possible to automate this process? Will the information contained in the NVD be sufficient to make a complete analysis of a system?

1.2 Expectations 

The two methods of determining system health, either by a vendor's update check of a system or by a comparison to the NVD, should produce different results for several reasons.

First, vendors release software updates independent of the information disclosed in public vulnerability repositories such as the NVD. This is due to development priorities and schedule requirements, which do not necessarily synchronize with the release of a CVE entry by the NVD. Second, software vendors often obtain their vulnerability information by different means than does the NVD.

The discovery of a vulnerability may come through the vendor's own process, or by independent discovery. Vendor notification of a discovery may occur by the discreet means of responsible disclosure, or may first appear as a bug



inventory done by the set of vulnerabilities listed in the NVD, and that of an inventory done by a vendor's update status. It is reasonable to expect that if software developers and public vulnerability databases had perfect knowledge, the two evaluations would be the same. Yet we would also expect that long-term analysis should produce fewer differences, assuming the following: vendors have the intention to keep security flaws out of products and to fix those that appear. In addition, vulnerabilities identified within the NVD are valid and all vendors accept them. If these assumptions all held true,

Unfortunately, perfect knowledge does not exist. Practical demonstrations can only show that these differences are minimal and do not represent a significant



eliminate the false sense of security presented by a vendor update check. The fallacy lies within comparing the system state with information provided by the vendor at the same time. This check relies upon information the vendor has, excluding vulnerability data from outside the vendor's development stream. This exclusion leaves a gap for publicly known vulnerabilities that represent threats to a fully patched system.

"Up-to-date" system status confuses the true vulnerability status of a system; the difference is between having all available vendor patches applied and having no known vulnerabilities. A system can be both
2. Background



risks of Internet use arises from the ease of vulnerability exploitation across these same interconnected systems.

Connecting systems with such vulnerabilities to a network exposes them to the risk of attack. Given isolation, computer systems are impervious to remote attack; obviously,

security depends upon keeping pace with the continual appearance of new vulnerabilities, which represent an ongoing threat to these



while systems' users attempt to adapt quickly, there are always new threats that were previously unknown.

Consequently, risk is a process managed by understanding the vulnerabilities of a system. In this manner, understanding the risks of individual systems is core to understanding the



Often a secure perimeter intends to protect systems from these external risks, keeping out systems that do not comply with the

Recently, traditional network perimeters have begun to dissolve. Systems can no longer depend upon the protection of a firewall. Simply shielding a single gateway to the Internet is no longer effective, due to the increase in mobile computing and wireless access. The location of a computer may change from being inside to being outside of the protected perimeter. The systems residing within the firewall perimeter can no longer rely upon the safety of a sanitized intranet. This is due to the way systems bypass the perimeter walls, such as systems returning from the wild and visiting systems.

Network perimeters have the role of filtering what is safe and what is not. However, a firewall cannot reduce risk when an attack originates from a compromised system within the trusted perimeter. Because a secure perimeter is a

present risk to other systems because they are susceptible to exploitation if they succumb to their vulnerability. They can then provide a platform to attack other systems. All methods to reduce this risk begin with the identification of vulnerable
2.1 Scope of this work

The life of a vulnerability begins with the discovery of the vulnerability. The discovery may or may not appear publicly; however, this thesis is concerned only with known vulnerabilities. Managing risk posed by publicly unknown vulnerabilities (either before disclosure) or zero-day (previously unknown) attacks is outside the scope of this thesis.

The validity of a vulnerability is also external to this inquiry; vulnerabilities listed within the NVD are considered valid within the scope of this thesis.

The rapidly changing vulnerability landscape does not allow all examples to undergo repeated verification: new patches are developed, and the system state continuously changes. Nevertheless, the general findings of this work are verifiable within this changing environment.

The analysis uses Linux and Open Source systems which rely upon the Debian packaging system (dpkg), using the Advanced Packaging Tool (apt). The same technique can be used on other systems such as rpm-based systems (Red Hat Linux, SUSE Linux), or even Windows-based systems, but this was not done within the scope of




2.3 Patch management vs. vulnerability management

There are two methods of describing a system's exposure. The first is the patch level of the system itself; the second is the comparison of system components to known vulnerabilities, which determines the vulnerability exposure. Which method describes the vulnerability exposure of a system with better




is readily available. Therefore, keeping a system up to date with the most recent security patches is important in reducing exposure to known vulnerabilities, and can reduce the largest factor of intrusion exposure. What if publicly known vulnerabilities exist, but there are no patches? In this case, a system can still have security risks hidden by the patch level.



Risks measured by patch level differ from those measured by vulnerability level. This will occur whenever there is a period between the vulnerability announcement and the availability of the patch. The vulnerability lifecycle model describes this period.




does so relying on the vendor to release a patch. In addition, the system can appear vulnerability-free until the vendor indicates that there is something wrong by issuing a patch.
both the source and binary forms available for their distribution releases and for supported architectures. This work may repeat itself several times in different distributions before a solution reaches the client system, e.g. an upstream release, a Red Hat Linux release, and a Debian Linux release.

Consequently, a software patch may pass through several hands. A fix published in the upstream source repository may take some time for distributions to pick up, test, and produce a patch. This can result in a gap between a public announcement and the availability of a patch. This process also depends upon relatively easy fixes. If the software flaw is highly coupled within the package, a fix may take some time to

Relying on the arrival of a vendor patch can leave a system vulnerable for an unnecessary period. Knowing of a vulnerability before a patch is available can enable other mitigation means to reduce the risk to a system. Various hardening techniques can reduce risks to systems that contain vulnerabilities that do not currently have patches available (Figure *). Examples include confinement, resource limitation, and other techniques that can protect systems from these vulnerabilities. The process of securely configuring a system can reduce risks in systems that host vulnerable software. This process begins



2.3.1 Tracking Vulnerabilities in Open Source

The Open Source community has no single overseer for vulnerability tracking; in practice, management of the processes involved spans across upstream projects, distributions, and individuals. This section discusses aspects of Open Source



2.3.1.1 Not-so-unique identifiers

Knowing which version of an application or library is vulnerable requires identification, and the identification of software vulnerabilities has two requirements. Both the software and the vulnerability must have unambiguous identification. One downside of the Open Source infrastructure is that as distributions assimilate software packages from upstream, the package names diverge. The result is difficulty identifying
vulnerable software. One example is the Apache HTTP Server. On Red Hat Linux systems it is httpd, and on Debian and Ubuntu Linux

The NVD tracks vulnerabilities in both proprietary and Open Source software, while distribution efforts such as the Debian Security Team, the Red Hat Bugzilla, Secunia, SecurityFocus, and others track the same vulnerabilities. Therefore, if the identifiers do not align, an individual system may appear to contain two different vulnerabilities when there are simply two names for the same vulnerability. For instance, a single vulnerability in the Apache HTTP Server will have many different identifiers assigned.

The National Vulnerability Database resolves these conflicts by assigning each vulnerability a unique identifier (the CVE number) and then linking the other identifiers to it.

[Figure: NVD Common Vulnerabilities and Exposures (CVE) vulnerability entry]

However, there is no such identifier for package names. Therefore, vulnerability detection tools cannot determine which software a vulnerability affects.
2.3.2 Bi

The landscape of Open Source development is also open. One must understand the relationships between the components that track vulnerabilities as they flow through the layers of Open Source organizations. Typically, vulnerabilities begin with an initial bug report submitted to the package maintainer, who confirms the vulnerability, announces and fixes the issue, and adds the fix to the current stable stream. Linux distributions then produce a patch for the fix, apply it to the vulnerable packages, and release patched packages.

The community refers to a fix carried into an earlier release as a "backport". The upstream package maintainer, the distribution package maintainer, or even members of the open source community at large may perform backporting, resulting in released patches and patched binaries.

This process adds confusion when identifying the patches applied to a package. One cannot determine whether a particular package is vulnerable by comparing its version with the vulnerable upstream version alone, because of backports.

2.4 Differences between Single-Path and Multi-Path development

The Open Source Software (OSS) development process is different from proprietary, closed source software development. This difference allows a user to procure the "same" software in various different ways. Moreover, although these different distribution paths result in different naming and versioning, the resulting software still shares many common aspects.

Unlike the organization of proprietary software development, which exclusively controls the release of its software, Open Source development is a composition of different software packages that may follow multiple paths from the upstream source to the binary package installed on a particular system (Figure 6).






The arbitrary path of OSS, from the head of the development stream to the actual compiled binaries that run on a user's system, produces certain difficulties for the identification of software vulnerabilities. The compiling and inclusion of different portions of the source is due to the openness of the Open Source process, which enables compiling to take place in multiple locations. Binaries are compiled at the source head, by a project build, in the processes of various distributions, and, last and perhaps most importantly, through backporting, which may occur by almost any of these entities.
If a vulnerability exists upstream, every downstream build will contain it. Conversely, a package which does not contain any known vulnerabilities in the upstream source repository, but that is changed and compiled downstream, may have vulnerabilities introduced. In practice, the process of backporting often



2.5 Related Work

Work can relate to this thesis in two main areas: one, that of detecting vulnerabilities on systems; the other, that of matching software components to those in the NVD.




simply checks if there are updates available to a given system, and relies solely upon vendor-supplied update information. For the vast majority of users, keeping a system up to date with the most recent patches supplied by the vendor is critical.



Advanced Packaging Tool (apt), which can compare the version of components installed on a Debian-based system to those currently available and can also install required updates. Another tool, apt-show-versions, provides a list of installed package names and their update status in the same manner, but does not install updates. Similar tools perform these functions for rpm-based systems, such as the Red Hat Update Agent, also known as up2date, which is similarly limited in

Many proprietary software vendors provide an update checking service that periodically checks for available software updates. However, these agents only check for matches with a specific vendor's updates and do not report



can check for updates from a Linux system.



updates, even if those updates are not security related. The PSI does not, however, indicate packages which exhibit vulnerabilities present on the system. It does not report vulnerabilities outside of the vendor's own update data.

2.5.1.2 The Debian vulnerability tool debsecan

The tool debsecan does report vulnerable packages that do not yet have available updates. However, the tool still relies upon vendor-based information. Because debsecan relies upon information produced by the Debian Security Team, its report experiences the latency of the Debian Security Team process. In some cases, vulnerabilities listed in the NVD and present in the list of Debian Security Team "todo" items are not part of the debsecan report. For example, debsecan did not report a current gpg vulnerability, CVE-2008-1530, which had yet to receive attention from the Debian Security Team (as of 04/20/08).

The Debian Security Team determines, by hand, whether a vulnerability applies to packages within the Debian distribution. In some cases, a vulnerability does not apply to the package maintained by Debian; e.g. CVE-2007-4723 lists the "Apache HTTP Server" as vulnerable, but the Debian Security Team does not agree. In other cases, the Security Team is not convinced that the issue is security related, e.g. CVE-2005-2541 is



dismissed by the Debian Security Team:




Because debsecan consumes data generated by Debian Security Team evaluations, its dataset represents a "filtered" subset of the NVD. The data consist only of the NVD entries considered relevant by the Debian Security Team. This provides a straightforward means of identifying vulnerable packages, as the security team has converted the NVD data into a Debian format. As a result, the manual conversion carries the possibility of injecting errors.






In addition, the Debian Security Team tracks issues that do not have an assigned CVE number. It follows that more information is available to the debsecan analysis, since the data include additional sources from the Open Source community; however, one can speculate that this security information will eventually appear in the NVD.

The work within this thesis explores whether vulnerabilities are still present on a fully patched system, by comparing system files to publicly known vulnerabilities from the NVD. Therefore debsecan lies outside the scope of this work: it relies upon a filtered dataset and will not detect vulnerabilities outside the domain of the Debian Security



2.5.2 Matching OSS packages with data in vulnerability data sources

Matching requires a vulnerability data source such as the NVD. This issue is central to the reliable automation of system health evaluation: a precise mapping must exist between the OSS software installed and that listed in the data source. A heuristic approach to matching requires a plethora of matching rules, as the naming conventions of the data structures are not shared by Debian, the upstream package maintainer, or the NVD itself.
The current NVD entries are ambiguous and cannot be matched by an automated system; therefore, automated matching is possible only if the data have first been matched by human evaluation. Only unambiguous data make automated matching reliable and accurate.



2.5.2.1 Matching with the National Vulnerability Database

The NVD relies upon vendor-style product names to identify OSS and links CVEs to those names. The detailed walk of the Open Source path described above, with its multiple build paths, is not represented: a vulnerability in a package may simply not exist within a distribution's build because that part of the code was left out, yet a name-based match still reports it. Conversely, heuristic identification can treat different

A FAQ entry presented on the NVD website may explain why OSS vulnerabilities are difficult for the NVD:
The FAQ uses the terms "kernel space" and "user space" to distinguish the categories it describes as "part of the operating system" and "independent of the operating system". Classifying a component this way would mean determining whether it occupies kernel-space memory or user-space memory when executing. Meanwhile, the Open Source model uses the term "Kernel Module" to refer to components that an operating system vendor would call a "driver", both of which

Open Source Software is a significant part of the software world, and it merits the same treatment as closed source software; both benefit from the services of the NVD. The NVD has the opportunity to overcome the problems mentioned in the FAQ and thus provide the same support to OSS as to closed source. A solution that incorporates an ontology into the data model of the NVD, with both the terms and the architecture from OSS and the Linux kernel, will enable the NVD to support the security information needs of OSS systems. This will enable the NVD to provide uniform information for all software regardless of its development process. More on the NVD follows in Section 7.1.

2.5.2.2 Matching with the Common Platform Enumeration

The Common Platform Enumeration (CPE) intends to resolve the issue of different domains using different naming conventions by normalizing the information. The CPE aims to establish a common naming standard for use by automated security tools. Unfortunately, this will not solve the underlying problem that different distributions represent essentially the same canonical entity with different names. Even after enumerating the current names with the CPE, these differences will remain.

When the enumeration is complete, it will require approximately

entries for Open Source software, making the dataset unwieldy.

Another issue arises from the efforts to normalize the information into a standard form: the constraints of the CPE data structure produce a lossy result. Because dashes are not a legal character in the XML-based CPE naming, this entry does not represent any Debian package:
This dash is significant: it represents the delineation between the upstream version of the package (1.3.34) and the Debian update version (4). The dash separates the upstream release from the work of the Debian package maintainer, and the final number indicates that this is the fourth package released by Debian based upon the upstream 1.3.34 version.

Another entry fully obscures the Debian package elvis-tiny by replacing the dash with an underscore:

The nuances of multi-path development are delineated and annotated within Open Source version strings (Figure 7).
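The following is an added example, not code from the thesis, written to show how the naming and version-string issues above play out when an installed Debian package is matched against CVE data. It implements the dpkg ordering for Debian version strings (epoch, upstream version, Debian revision), maps distribution package names to an NVD-style product key through a small alias table, and checks a package against a hand-made table of CVE records. Everything in those tables is constructed for illustration: the CVE numbers are placeholders, the version ranges and backport versions are invented, and the product key apache:http_server with the package names apache2 and httpd is an assumption about naming rather than data taken from the NVD. The function cpe_version_field reproduces the dash-to-underscore normalisation discussed above and shows that the Debian revision cannot be recovered from the result.

```python
"""Added example (not from the thesis): match installed Debian packages
against constructed CVE records while honouring Debian version semantics."""
from dataclasses import dataclass, field

# Constructed alias table: (distribution, package name) -> NVD-style product.
PACKAGE_ALIASES = {
    ("debian", "apache2"): "apache:http_server",
    ("redhat", "httpd"): "apache:http_server",
}


@dataclass(frozen=True)
class CveRecord:
    cve: str                  # placeholder identifier, not a real CVE
    product: str
    fixed_upstream: str       # first upstream version that is not affected
    fixed_in_distro: dict = field(default_factory=dict)  # {"debian": "1.3.34-4"}


# Constructed records: one with a known Debian backport, one without.
CVE_RECORDS = [
    CveRecord("CVE-0000-0001", "apache:http_server", "1.3.35", {"debian": "1.3.34-4"}),
    CveRecord("CVE-0000-0002", "apache:http_server", "1.3.37"),
]


def _order(c):
    """dpkg character weight: '~' sorts before everything, including the end
    of the string; letters sort before other non-digit characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg ordering for one version part: alternate non-digit runs (compared
    with _order) and digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Debian version string: [epoch:]upstream_version[-debian_revision]."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def cpe_version_field(v):
    """Lossy CPE-style normalisation: the dash between upstream version and
    Debian revision becomes an underscore, so the two can no longer be split."""
    return v.replace("-", "_")


def assess(distro, package, version):
    """List of (cve, verdict) for one installed package. An upstream-only
    comparison flags a backported fix as vulnerable; the distribution
    revision is what tells the two cases apart."""
    product = PACKAGE_ALIASES.get((distro, package))
    if product is None:
        return [("-", "no mapping from package name to NVD product")]
    _, upstream, _ = split_version(version)
    verdicts = []
    for rec in CVE_RECORDS:
        if rec.product != product:
            continue
        if compare_versions(upstream, rec.fixed_upstream) >= 0:
            verdicts.append((rec.cve, "not affected: upstream version at or past the fix"))
            continue
        fixed = rec.fixed_in_distro.get(distro)
        if fixed is None:
            verdicts.append((rec.cve, "vulnerable by upstream version; no distribution fix known"))
        elif compare_versions(version, fixed) >= 0:
            verdicts.append((rec.cve, "fixed by distribution backport"))
        else:
            verdicts.append((rec.cve, "vulnerable; distribution fix available"))
    return verdicts
```

Running assess("debian", "apache2", "1.3.34-4") against the constructed table reports the first record as fixed by backport and the second as vulnerable by upstream version, which is exactly the split an upstream-only comparison cannot make; the same package name on Red Hat would need the httpd alias before any comparison is possible at all.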
2.5.3.2 Matching with National Software Reference Library techniques

The National Software Reference Library (NSRL) is a set of software signatures used by law enforcement in computer forensics. Its hash datasets reduce the quantity of files needing further examination by positively identifying files originating from known sources. Comparisons to the reference data can determine the difference between system files to ignore and user files to examine further (Figure 8).




Can a similar signature approach identify vulnerable files on a system? This depends upon how well the method addresses the problem of identifying OSS. Using signatures eliminates the need to construct an ontology to map the various naming conventions used by the OSS community to a single identifier.






A comparison between a system package hash and the reference set has one of the following three outcomes, depending on what the set contains:

1) Matched hash is associated with a CVE number

• package contains a known vulnerability

• this dataset contains signatures of vulnerable software

2) Matched hash is NOT associated with a CVE number

• package does not contain a known vulnerability

• this dataset must also contain signatures of non-vulnerable software

3) No match

• package unknown; the dataset will not contain vulnerability information
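The following is an added example, not code from the thesis, showing the three outcomes above as a small hash-matching scan. It builds an NSRL-style reference set that maps a file digest to the package build it came from and to any CVE numbers tied to that build, classifies each file on a system, and then aggregates per package so that a host running a mix of old and new builds of one package is still flagged. All file contents, the reference entries, the package versions and the CVE numbers are constructed for illustration; SHA-256 is used as the digest, which is an assumption of this example rather than the NSRL's own format.

```python
"""Added example (not from the thesis): NSRL-style hash matching of files
against a reference set carrying vulnerability information."""
import hashlib
from collections import defaultdict

VULNERABLE, CLEAN, UNKNOWN = "vulnerable", "clean", "unknown"


def file_hash(data):
    """Digest of the file content (SHA-256 here; the matching logic does not
    depend on which digest the reference set uses)."""
    return hashlib.sha256(data).hexdigest()


# Constructed reference set: digest -> (package, version, CVEs this build carries).
# The byte strings stand in for real package files.
REFERENCE_SET = {
    file_hash(b"apache2 1.3.34-3 /usr/sbin/apache"): ("apache2", "1.3.34-3", ("CVE-0000-0001",)),
    file_hash(b"apache2 1.3.34-4 /usr/sbin/apache"): ("apache2", "1.3.34-4", ()),
    file_hash(b"apache2 1.3.34-4 /usr/lib/apache/1.3/mod_ssl.so"): ("apache2", "1.3.34-4", ()),
    file_hash(b"gnupg 1.4.6-2 /usr/bin/gpg"): ("gnupg", "1.4.6-2", ()),
}


def classify_file(data):
    """Outcome 1: digest known and tied to a CVE -> vulnerable.
    Outcome 2: digest known, no CVE -> clean (so the set must also hold
    clean builds, or outcome 2 collapses into outcome 3).
    Outcome 3: digest unknown -> the set says nothing about this file."""
    entry = REFERENCE_SET.get(file_hash(data))
    if entry is None:
        return UNKNOWN, None
    _package, _version, cves = entry
    return (VULNERABLE if cves else CLEAN), entry


def scan_system(files):
    """files: {path: bytes}. Returns (per-file outcomes, per-package summary,
    list of unknown paths). A package is vulnerable if any of its files
    matches a vulnerable build; unknown files are listed separately because
    a locally rebuilt or modified binary defeats hash matching entirely."""
    per_file = {}
    packages = defaultdict(lambda: {"status": CLEAN, "cves": set(), "versions": set()})
    unknown = []
    for path, data in sorted(files.items()):
        outcome, entry = classify_file(data)
        per_file[path] = outcome
        if entry is None:
            unknown.append(path)
            continue
        package, version, cves = entry
        pkg = packages[package]
        pkg["versions"].add(version)   # more than one version => partial upgrade
        if cves:
            pkg["status"] = VULNERABLE
            pkg["cves"].update(cves)
    return per_file, dict(packages), unknown


# Constructed host: the httpd binary is still the old build, mod_ssl is the
# new one, and a locally rebuilt gpg sits outside the packaging system.
SYSTEM_FILES = {
    "/usr/sbin/apache": b"apache2 1.3.34-3 /usr/sbin/apache",
    "/usr/lib/apache/1.3/mod_ssl.so": b"apache2 1.3.34-4 /usr/lib/apache/1.3/mod_ssl.so",
    "/usr/bin/gpg": b"gnupg 1.4.6-2 /usr/bin/gpg",
    "/usr/local/bin/gpg": b"gnupg 1.4.6 locally rebuilt",
}


def report(files=SYSTEM_FILES):
    """Human-readable lines for the constructed host."""
    per_file, packages, unknown = scan_system(files)
    lines = [f"{path}: {outcome}" for path, outcome in per_file.items()]
    for name, info in sorted(packages.items()):
        lines.append(f"{name}: {info['status']} versions={sorted(info['versions'])} "
                     f"cves={sorted(info['cves'])}")
    lines.append(f"unknown files: {unknown}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The per-package aggregation is the part a scanner needs: on the constructed host the apache2 package shows two versions at once and is flagged through the older binary, while the locally rebuilt gpg is reported as unknown rather than silently treated as clean, which is the gap the size estimates below have to cover.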
discover that each package has an average of Mj.S3 changes per package (Appendix I). This rough estimate indicates that 11,548,807 hashes are needed to represent the current Debian Etch release. We may add a second distribution release, Ubuntu Feisty, which contains 2I.IH.^ packages, 7 architectures, and approximately three changes per package, equivalent to 'I.&22. ITi hashes. Together, only these two distributions require 2.V.S71 .i)r;;i hashes. This is roughly equivalent to the number of hashes in the NSRL application file list. However, our hash set only represents the current releases of Debian and Ubuntu, not the entire supported release sets from these distributions, nor does




hashes ''I i li h i L-r;ih--l l- soil ii arc. 



I'll-.' se: i'iai , ;n ia i • a I I lp.-i v.i. S. ■ I ■■■ a-.- p:... h.i i. ... ii Tii.' 
diVn'isilV Oi 111;' Apiiche I IT IT V- ■. ■ I la . I. a. il l I - 1 " -J ■. ill aeial.iliU ill orl^ 
particular instance of the Apache HTTP Server difficult. Because hashes represent 
a unique signature, they appear to be an ideal solution to this problem. 

The Apache HTTP Server is one of approximately 5') projects maintained 
by the Apache Software Foundation. The Apache HTTP Server code has 
HI] tk' ISO 1 1 1* Se*eri 111 J.-, ii I i'I.'j-,'-. ■.■:.h i:- ■..!ii.h li:i. I i: L l,'i^i:n.' Ll|l [0 SiMV-tlliee 

minor releases (Figure 10) 
■Xh?i ' I ha-'l. 1 ' Ii: -.■|>--.--.'i:l I I,' 1:1.11 : ,-|- 1 km. ! ml- ill.i |- lit- i i 0[|.'|| Si mi 

software (Table 1). 



The NSRL hash-set ll[JS_2l'/_f contains :."v'J7S.M7 hashes; it is 

approximately 2.9 gigabytes. Assuming the dataset needed to represent Open 

size when uncompressed. 

A VLlllLClllllil'L. l'".'l IKYll- Li - .. ; i m i : : li ii.- :1a- •■ ^1.-1:1 |--:.^-kLLL=f^ I'l lliil^ in lilt 

entire dataset on a daily basis to track the daily changes in vulnerability 



information. To do so, the client must il.i.' uHi;kl .mii.t.1 ikiu^ol and IliiTi 
.■;Kh .■mi . ami Linnixi--. 1 I 1" IIi.I'l- m i -.-[■■iv Win II' i- |iO'\i''k'. Mil 1 
-;/■.■ .11 Mil- .l;ia-. - I ■-. | ■ ■ I ■ ■ -- i 1 1 -. ^- I'l'i | : .1 r.ialii 1 .1 \ amil^:- lo;iU nil.: 
The approach discussed in this work can be applied to other Open Source 
Distributions, e.g. Red Hat and SUSE. These different domains do require that some 

use .rpm packages. This does not prevent the analysis: the rpm format is 
comparable and allows similar queries as .deb. Windows-based systems 
are also conducive to this approach; there exists an API which enables software 
interrogation, enabling the comparison of vulnerability data with that of the 
system software. 

3. Method 

vulnerability. The system can either be active and used for other work, or a test 
system, expressly intended for these analyses. The test does not require special 
•• ■ i pvp.. ration, avco I !-■ :i I' l::;i' i-|U ho Lv^l -cir.s lino i :blai I: lie tile -.1 II cut 
Wll lI:,I.i I aua';.d- -oll-.;uiai"l: fie o.-:eu- ear p.T.aiu :lk' 
; ivestigBlkm .■■ Lboul ■■■<■■ interactions. 

3.1 System used 

Several Open Source Software systems are the test beds for vulnerability 
analysis. The security patch process, like most Open Source development, is open 
to allow an insider's perspective of this normally hidden commercial activity. 
Hie seleuinn ol I'l'triiu aid IIH.ia-i Inna tie M ini, iio-'il'k 1 elio^es ol 

I i .h-li il'l.li:'! ' '■ii.il i i - iiiIhim VI' a I. .' : i I'imI i,;;a i. lo |in:\ id. 1 

pac'-ai'.e maaa^'m.ill ;i daa l-.il I'.l'aa I .deb] packages. 

Furthermore, Ubuntu has a larger and more diverse repository of packages than 
other popular distributions such as Red Hat, SUSE, or even Debian. The 
repositories contain otherwise unavailable packages such as proprietary drivers 
and other commercial software, making for a more well-rounded test of system 



3.2 Heuristics for vulnerability detection 

I'v.o 1,711 J.'Il -i i ii.' il pa n. i' I -.-I. ii- ; ;iL h. ,!. I- ' I. la.a al 'I.' ;l- 

defined by the NVD: 

1. The system package appears in the NVD, 

2. The version of the system package appears in the NVD. 

The first heuristic determines if the NVD contains an entry for a software 
package. This indicates the package has contained a publicly disclosed 

version on the test system still contains the vulnerability. If the package version 
from the system is greater than any of those listed in the NVD the assumption is 
that the software contains a fix (Figure 12). 
3.2.1.1 Name matching 

[he matching system mnsl i ad con i" i lie i i. .■! in both the NVD 

Ih.i syslern; on ;i iy^k'm. 'i::'m;iiv n;i n,'- i l I l- -i i ■ |i:idoi;vs: iiLinv collisions 
would not allow the operating system to determine which component to invoke. 

determine vulnerability matches: 

National Vulnerability Database Version 2.1 

NVD is the U.S. government repository of standards based 

Content Automation Protocol (SCAP). This data enables 


Program (ISAP)". 

this product that are affected by this vulnerability an 



If a package name matches a NVD name, the package is vulnerable 

unless further test heuristics can change this result to negative (Figure 12) 






The NVD documentation contains the following information for the 

Represents a version of the product that is affected by this 
vulnerability. 

Attributes: 

vulnerability 

I'hi- NVII ..li;ir ul ■ iiIii.'.liI.Il' wi-i;ir- in h.i: IS;, 

cilluil L'rll>illn'IT.liil;J .■•■■n M.h '■ .'I .n " I i'' I i-l ii ill n "mill.' •vision with a Hap 

to indicate that previous versions are also vulnerable. 

Because the NVD fails to recognize the presence of major release versions 




Unfortunately, many issues diminish the effectiveness of automated 
vulnerability detection in Open Source Systems using the NVD. That is not to say 
that in some cases these issues are l;i:v.'I' ahli Ii\ .iiiiii;i:i iavikenlion; however, 
il.:: I. -.1 ' 1 '"I.' i .1 ii.": .kl' .'. i . : i ^ ■ .• ■ 'I .. ■■■ i|n Ii- .i.il'- :v^.ic>-. 
I- 1-1:11 p.'l.n: •■ ■ .! 'll'::'ik.n\k .i. l. : I V r. 1 1 ■. I.l l. i.: --.ill.-. ■■' ll :p:vat. .11; I 
ni;i!,iii : ' Muse e -i i--^- 1 l i"i I > ismi.s i i' Nli'. 1:1,^ may undergo I'luther 

examination. These heuristics also fail on the side of safety 



Til-. 1 :dc-|Lili'-.ui:u: "I ■ nliKaalile ^'Ii\..l:v i< a 'ritieal CJIlipOIICnL "I Llll 
LKciiiLlli.- analysis. An io\\il puyli 1 . niakli li.'O'ecn an .al:y in lilt NVD and il 
<il't.';tiv |Xii:k;l^.' ill. .1 -.-^■iv riii-1 ea-Jic ll ' 1 -i:" '■ .'ll ll' 1 -'slcil- r. 

as that listed as vulnerable within the NVD. This is to ensure the results do not 
contain either false positives or false negatives. Software packages must tanddoi 

the de-facto identifier on a system. Two packages with the same name cannot 
exist in the same system location. Path information resolves name collisions 
present in different locations. 

In addition to the ontology issue described in Section 2.3.1.1, a software 



the same; however, the package name can ei 
depending upon the packaging rules for the various 
Debian & Ubuntu Name NVD Name 




versions, and the number of versions are less numerous. Open Source Software 
l- i'::iiiL-ii: i. pi.s.n:- ;i l'iii: r - -lii nir iIly,'Ii':iiiii':ii '' ■ new I'ejnires 

progresses. 

descriptive li-rms ll!1. l v Li - NK 1 '•■I'Kii: iitiinl^T :ti iqin'si'ril lIil ^:i;iii_li's. k^in^' iihj 

liiLs ailililkiii.tl i-r'"-i iLili' -i .;l '■ '■.'^ :i .-.'i ll Ivl.'.'.-i p;i'- Ll£l- * frsions ;iiiiI 

those in the NVD (Table 3). 



Ubuntu NVD 




I :ilik !.• |>1^ ..I swum \ Li ^Ii.n-. ai,<d Ihu. M I * ii.iiii1ii'|iaia^ 

A simple comparison between the system version and the set of 

versions within a CVE is still not possible; the version format typically 
contains multiple decimals, e.g., ixi.jii.ixi. One additional step is required 
before comparing the package and CVE versions: convert both into decimal 
format (Table 4). 
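The two heuristics of Section 3.2 together with the version-conversion step just described, as an added Python example (not code from the thesis): truncation of the distribution revision, tuple comparison in place of the decimal conversion, and the rule that a system version greater than every listed version is assumed fixed. It also reproduces the cross-major-release false positive the thesis discusses for PHP. Package names, versions and the CVE-0000-NNNN identifiers are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple


def upstream_version(debian_version: str) -> str:
    """Truncate a Debian/Ubuntu package version to its upstream part (the step of
    Section 3.2.2.2): drop an epoch prefix such as '1:' and the distribution
    revision after the last '-', so '1:2.2.3-4ubuntu2.1' becomes '2.2.3'."""
    version = debian_version.split(":", 1)[-1]
    if "-" in version:
        version = version.rsplit("-", 1)[0]
    return version


def version_key(version: str) -> Tuple:
    """Turn a dotted version into a tuple that compares component by component.
    This stands in for the thesis's 'decimal format' conversion (Table 4); a tuple
    handles any number of components. A leading 'v' (as in the NVD's v2.2.1) is
    ignored, and a numeric component with a suffix ranks below the bare number,
    so 2.0.58rc1 < 2.0.58."""
    key = []
    for piece in re.split(r"[.+~]", version.lstrip("vV")):
        digits, tail = re.match(r"(\d*)(.*)", piece).groups()
        key.append((int(digits) if digits else 0, 0 if tail else 1, tail))
    return tuple(key)


def vulnerable_by_version(system_version: str, cve_versions: Iterable[str]) -> bool:
    """Second heuristic of Section 3.2: the package is assumed vulnerable when its
    upstream version is less than or equal to the greatest version listed in the
    CVE, and assumed fixed when it is greater than every listed version."""
    listed = [version_key(v) for v in cve_versions]
    if not listed:
        return False
    return version_key(upstream_version(system_version)) <= max(listed)


def evaluate(system_packages: Dict[str, str],
             nvd_entries: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, str]]:
    """Apply the first heuristic (package name present in the NVD, compared
    case-folded and with a trailing major-release digit dropped, e.g. php5 -> php)
    and then the second heuristic. Returns (package, cve_id) pairs flagged vulnerable."""
    flagged = []
    for name, version in system_packages.items():
        base = re.sub(r"\d+$", "", name).lower()
        for cve_id, product, versions in nvd_entries:
            if product.lower() == base and vulnerable_by_version(version, versions):
                flagged.append((name, cve_id))
    return flagged


# Constructed sample input: versions and CVE-0000-NNNN ids are placeholders,
# not copied from the NVD or from the thesis's tables.
SAMPLE_SYSTEM = {
    "apache2": "2.2.3-4ubuntu2.1",  # upstream 2.2.3
    "php5": "5.2.1-0ubuntu1",       # upstream 5.2.1
    "php4": "4.4.8-1",              # upstream 4.4.8, newer than the listed 4.4.7
}
SAMPLE_NVD = [
    ("CVE-0000-0001", "apache", ["v2.2.1", "v2.2.2", "v2.2.3"]),
    ("CVE-0000-0002", "php", ["4.4.7", "5.2.3"]),  # one entry spanning PHP 4 and PHP 5
]

if __name__ == "__main__":
    # php4 4.4.8 is flagged although it is newer than the listed 4.4.7: the CVE's
    # versions are treated as one contiguous range, which is the cross-major-release
    # false positive discussed in Section 3.3.2.
    for package, cve_id in evaluate(SAMPLE_SYSTEM, SAMPLE_NVD):
        print(f"{package}: {cve_id}")
```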




h.'tliisiics contained i- : 1 1 1 '.Mat I l is I ■■p-. I- .1 n .J.rrlnl^ function. wIli-is^ 

the input is a package and NVD data; the output is a determination of 
vulnerability. 

The first heuristic matches a package name to software names in the NVD. 
Although matching names is a straightforward string comparison, this simple match 
function failed to produce a significant number of positive results: 



Searching the NVD for vulnerabilities published in the year 2007 through 
September the evaluation produced only the following nine matches: 



3.3.1 Problems with case matching 

Widely publicized vulnerabilities in the Mozilla Foundation's Firefox 
Web Browser are missing from the initial match list. Why did the match function 
fail to match the Mozilla Firefox Web Browser? 

TIk iL'aM'ii ii Jul' :;i ;'s^ uaiiilhi' Liiiu.v sjMfnn i.;. nuniL's Nun dil'IVr i:i 
■jjsc bin an: Iht sank' : .n .-11 ■ 'I:kt lis^jcl-. ;-.iv ^iia-.'.-li'iiL. In ^'iii'.|-jm. Lin NVD 
is case-insensitive and features a mix of upper and lower case names. Therefore, 
IIil i i :i i- i-"-i li.iiL ii" i i iii-i li -ii Ljin iL- 
■\IL.T III,' Hlll.:iliLUV..IU 111. 1 H\;;.liill;J IhHlV L...-||| : ULlJi:i;'iml 

- I ■ v iii. i j:lin^ Hrefox: 




entries are in lower case. The typical practice on a Linux 
system is to use all lower-case letters for package names, yet the NVD contains 
CVE records having the product name ambiguously represented with a 
combination of upper and lower case (Table 5). 



Package Listings CVE Number 




Till- rl;l\ mil .:■ I.- I..- I il mi ill. I I l;'\.,-wi . Ill- pi aerie. .11,' .TiK ill 

:ii::.ii-i.i:il- h.-ailli e-valualii'n :;v.l ri.ici .Iri'.-i. -in.ili im. Ivl'.'.e.i • iiliie-rahilni.N In 
different packages such as Ant and ANT. On Linux systems, the letter-case of 
a package name prevents name collisions; i.e. the package Ant (automated 
software build tool) is different from ANT (desktop ISDN telephony application) 
and the system can determine the difference by the case. 



3.3.2 Problems with major-release name matching 

The Apache HTTP Server is an Open Source Web Server developed 

Historically, the Apache HTTP Server has contained vulnerabilities. The Apache 
HTTP Server version 2 is present on the testing system; yet "Apache" fails to 
appear in the match list. Why does the match function fail to match the Apache 
HTTP Server? 

The reason is due to the NVD not differentiating between the major 
releases of Open Source Software. Currently, the Apache Foundation produces 
three major-releases of the Apache HTTP Server. The test systems contain the 

a case-sensitive search for "Apache" produces no matches within the entire 

NVD. 

This is because the NVD lists the various Apache Server major-releases 



2003 by the name "Minmolt". The Apache Open Source Foundation maintains 
numerous projects in addition to the popular Apache HTTP Server. 

Listing the Apache HTTP Server as 'apache' also does not differentiate 
between these projects. 

The Open Source development credo is 'Release-Early, Release-
Often', which is often contrary to modern commercial practices. Open Source 



ei^-ianae, 1 ' |.yjl. y.\ |>ina ii, idea- ii'- ii i- 1- 'in^ llie-n i n:' :he 
eoilllllllrlily Kin I" L'illu.i: ..ii C J : : i ■ 1 1 S;il I.-.- • .i|-.-. I,- :ie. . I.i|. -|.tI i.-l,-;v. are oil 
almost-continuous iterative versions, with both fixes and new 
feature development occurring at the same time, and at the head of the 
stream. An unwanted repercussion of early release development is that the 
software may never completely finish the development process; this practice, if 

11- i-. pni'liee a Ii' de-ien: .el. :1V. 1 r.i:: e |-^.- 1 ^- : i n"del iiili' ium the need "I 
■ ■il,-i ;:i i-.- iKers i:-..liii i-ii: -oli^aie -:ol>ihlv. Ti: adores- 1'iS need, the Open 

I L 1 1 i: . ■ L-|lil:il,l,iiil\ ;II[,T I '■■ ;i eloia ilea 1 . Inanel' !:• 'loniai;'. :lie 

rieln-i.'-i el' ii.-i' lealn-e^ a i;l eoaeearra:,- en :.e-'le are aihili/alion. 



This stabilizing technique 'forks' the software, creating two branches, one 




branch of the fork being "significantly" different (Table 6). 

modules that work on one branch will not work in the other; calls to the API 

discussion, security vulnerabilities affecting one branch of the fork may not affect 
the other. Using PHP as an example, CVI: :(;■:!; only affects PHP 5, and 

CVE-2007-1286 only affects PHP 4. 
If Apache 1.x is present on a system, then the string 'apache' will 

produce false-positives from vulnerabilities in Apache 2. Conversely, searching 
for the string 'apache2' will not match any entry in the NVD and then 




major release version (Table 7). From the perspective of the system, this 
combines otherwise unique software. Nevertheless, this match function 

heuristic adheres to the policy to err in favor of false positives. 
'perl5', and 'perl'-"' become the search string 'perl'; the packages 
'php4' and 'php5' become 'php', etc. 



System Package NVD match NVD Vulnerability 




Combining major-releases of OSS discussed in Section 3.3.2 also 
increases the likelihood to compare a system version with a NVD entry. The match 
function must ignore the major release found on the system, and then treat the 
versions found in an NVD entry as contiguous. This is required because the NVD 
treats major-releases of software as separate entities. 

Major release versions of OSS confound the notion of the "normal" 
commercial software model of the NVD, which typically assigns a single CVE 
product name for each vulnerability. As an example, Windows 95 and Windows 
98 have a similar code base yet appear as separate entities in the NVD. This 
makes sense since they represent a separate body of code. 

This i- nut In 'Lh Ilia: li llav.'s et'le.l • aariol -pan ■»•■.'■.. .11 u\;i:a- 

releases — il can. ioriv. ai. -.. I. . t e..i i: ..■•ua -.edy nt coil. 1 and si; 

11, } eaa -kaie 1:1 1 11 en * .1I11. -.f'l'ilie- :iim'iluc.'.i i le III,- 1 eomrr.oi ■e.ce\li:i. 
vulnerability resides within a single major release only and that the previous and 
later major-releases are unaffected. 

A safe inference is to assume all prior releases contain this vulnerability 
up until and including the version where the vulnerability first appeared. The 

• .' !".e a lii:''^ ■.' 'ier van/hi ua 111.: \'V I! Waer :. •"Ihanie aaaka.ee h:i' se* eral 

current major release versions (e.g. Apache I . I - :i'. etc.), the safe inference 
is that all prior releases of the software contain the vulnerability up until and 
including the highest version listed. 

Yet another problem arises when matching vulnerable software versions 




Ik' ai^e li e hieaes: alk' Leil version i- i Ll I i I -i : ■. an. • crsiou ''I 
PHP 4 will also evaluate as vulnerable. Yet 4 is part of a separate major-
release, body of code, patch and release process. The Open Source community 
will produce individual patches for each major-release and will increment their 
versions individually. This cannot be discerned in the c: \--h-: l-hhv- »hm i - r n 

The <prod> element of CVE-2007-3799 generalizes the major-releases 
of PHP 4 and PHP 5; therefore the match function must also generalize by dropping the 
release number. However, the <vers> element specifies versions of PHP 4 and 

PHP 5. In this example, versions of PHP 4 will also evaluate as vulnerable 




Two issues exist with another CVE entry for the Linux Kernel, CVE-
2008-0001, that indicates vulnerable versions as: 




II- til.: i . J ,lilll tll. L . ■.. ill :ilv. a. • .■ . \l .|.:V a- . I le.ahle In ,; I r,lli:lii lie 
Vulnerability CVE-2008-0455 has a good description of the ranges in the 
different i: - m.ij.ir I. . . . . ;in.l 



Unfortunately, a free-form description that contains information 
necessary to evaluate an Apache HTTP Server version for a vulnerability is not 




extending to all previous versions before a known vulnerable version, or a 
'clerical' error. 

Again, CVE-2008-0455 is an example of this kind of error. The machine-
readable version information for CVE-2008-0455 is not complete, therefore does 
not allow an accurate evaluation. Among the missing versions are v2.2.1, 
v2.0.11 through v2.0.27, v1.3.10, and v1.3.11. Overall, 
approximately 42 versions indicated as vulnerable in the description are excluded 
This method does not miss a vulnerable version missing from a list of vulnerable 
versions within the CVE-2008-0455 entry. 



S..S.5 Problems with consistent granularity of component entries 

Complex software systems are often built from components. The 

Apache Software Foundation currently designs the Apache HTTP Server in this 

manner. Among the intentions for organizing the software projects is to 

separate concerns, decouple dependencies, and promote software re-use. 

^^^I'pa mi l- * uki.-.-iihi i Mi's n:iy .i;:p,-:,r in :nr. l-.iiii ','i.l-ii: .11' a s .shall, an.: i: 
is important to consider how to disclose the vulnerability with respect to the de-

components appear in a vulnerability disclosure, should the entire composed 
system? In practical terms: is it better for the NVD to list individual components, or 

I' ll 1 paikail.- 01 " llkli I' ll' .■ ■ii.p an i- pal"' 1 I In--.' an- impO'Lin; L|UesliOns li: 

consider. .111 J allani.-M il .-r .n-iw- an .■■ 11-ide ol Ill,' -i:npo ..I ll i- Ill,' 

matching function requires information contained in the NVD CVE entries to 

The NVD does not present consistent component naming between entries. 
As an example, Apache Module vulnerabilities may appear different ways: 



Because of this ambiguity, the matching function needs to check for the 

name of the Ii.l,- I'l-.'.r when searching the NVD 

3.3.3 Problems with normalization of package names 

Matching names of system packages with those found in the NVD is 

entries in the NVD. The policy, "false positives are better than false negatives" 
intends to limit the number of undetected vulnerable packages present on a 
system. I lilllilSlic^ ink- ill I.' |'-Olllic.' In' ^l' |li i-,e li ■. .--^ L-rulhli- iliri^L-lli |I£ I'll ilLli.vl 
In ::i-l. '.-. i linn.- il:'.ri,- ill;i:d-|.'v :lr.l ,'pi's.' Ili.hl.T iiil.i -|.il."lli.!lh. MlliHr.'lh:,' 
|1'c'mii'.l^ i.i I'lirlher semtiny. 

l-.ii'.phying :h,- :.- h,T::KliLs. i:i.!:diiii;: Ivauivs ::ii crciMj it' c.vimiiiiiii' 
the system package to its canonical name. The difficult part of matching 
is the successful mapping of system packages and CVE entries to their 
canonical form. Once this is accomplished, matching is trivial. 

Apache HTTP Server appears as either "Apache" or as the "Apache HTTP 
Server". Since there is no "canonical form" for the Apache HTTP Server, the 
matching function must search two times, one for "Apache" and one for 
"Apache HTTP Server" (Table 9). 
composed of a 'base' name, often this is similar to a 'canonical name', and 
' a ■ I ' ' . I " '.''.'I'pli,, 1 , ' .'I.." ' ' ail ..II, .■• .1,1,-1 II : I nari,\ ;il;,ai -.-parai.d 
by dashes. Examples of these names are .i|-..-.::':i^-:"::aiaioi"„, libapache, 
apache-utils. On occasion, system package names do not contain dashes but 
the adjectives are embedded within the package name, e.g. libapache, 
libssl, and 1 ibrip::cj j. System package names that contain adjectives 
cannot match with NVD names as CVE product names seldom contain adjectives. 
An examination of the package names contained on a Debian-based system 
reveals many common adjectives (Table 10). 
name. The match function attempts to do so and then tries to match against CVE 
entries (Tables 11, 12). 

System Name Successful Match Vulnerability 



System Name Successful Match Vulnerability 




Another issue with matching package names with NVD entries occurs 
when the two names are significantly different and do not contain similar base 
names. An approach to discover the canonical name of a package involves 
examining the package itself. Like other package files, Debian package files 
(.deb) contain metadata describing the Debian package. The package tool apt-
cache presents the metadata contained in the Apache 2.:i HTTP Server as: 
Nevertheless, the name "avi£ile" is likely to appear in a CVE entry 

■ Slmihl" iii^ililIliLm : : el,: !Ui:J .Kes i. l lIiii lL;-|1 -v^i.I:s. l i. h llk j Ike same ;is iIk 1 
il.ii.'-liw .L'i.:ii |'i:Mli"-i. Hi-.' 1 ! i i.'l.ulniii |."..d .lUii'ri 

■iiiipi i-iin^ and suspected names (Table 13). 



3.3.3.? Recursive lookups 

After attempting to find a match between the system name and a NVD 
name, the matching function attempts to find matches by recursively applying 
productions. Matching some system packages is not possible without several 
applied productions (Table 14). 
majority of name serving machines on the Internet uses it. BIND also has 
experienced a number of vulnerabilities; the NVD contains 42 CVE entries that 
explicitly name BIND vulnerabilities between 1999 and 2008. The most recent, 
CVE-2008-0122, was published January 15, 2008. 

hieiiiT 13 ■ 1 1 .i-^-.i I iw- ■■■kn n.r.ihL Lie UIV> p.Akj.j.- 

from Linux systems. 1) Matching BIND system names .tini ot (Kulr divettls-: 
normalization of the names must occur first. Both the major release numbers "9" 
and "9-0" and the adjectives "". : t:: :: and "host" need removal before "BIND" 
will match. Once normalized, three system packages are vulnerable. 2) Sii 
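The normalization productions of Section 3.3.3 (case folding, adjective removal, dropping an embedded 'lib' prefix and a trailing major-release number) and the recursive lookup that applies them until an NVD product name is reached, as an added Python example (not code from the thesis). The adjective set is a constructed subset of the kind of list in Table 10, and the NVD product names are a constructed sample; bind9-host and libbind9-0 illustrate the BIND case above, and libssl0.9.8 shows a name no production reaches.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Adjectives found in Debian/Ubuntu package names. The thesis's Table 10 lists the
# ones observed on a real system; this set is a constructed subset for the example.
ADJECTIVES = {"common", "utils", "dev", "doc", "host", "server", "client", "bin", "data"}


def productions(name: str) -> Iterable[str]:
    """Yield candidate canonical names derived from one package name, one
    production each: case folding, removal of dash-separated adjectives, keeping
    only the base name, dropping an embedded 'lib' prefix, and dropping a trailing
    major-release number (bind9 -> bind, apache2 -> apache)."""
    name = name.lower()                                   # Section 3.3.1: case folding
    parts = [p for p in name.split("-") if p not in ADJECTIVES]
    yield "-".join(parts) if parts else name
    stem = parts[0] if parts else name                    # base name only: libbind9-0 -> libbind9
    yield stem
    if stem.startswith("lib") and len(stem) > 3:          # libssl -> ssl
        stem = stem[3:]
        yield stem
    stripped = re.sub(r"\d+(\.\d+)*$", "", stem)          # bind9 -> bind, ssl0.9.8 -> ssl
    if stripped and stripped != stem:
        yield stripped


def match_package(name: str, nvd_products: Iterable[str],
                  max_depth: int = 4) -> Tuple[Optional[str], List[str]]:
    """Recursive lookup: test the name, then every production of it, then the
    productions of those, breadth first, until one equals a case-folded NVD
    product name. Returns (matched_product, names_tried); the product is None
    when no production reaches an NVD name, the case the thesis resolves with
    package metadata instead."""
    products = {p.lower() for p in nvd_products}
    seen, frontier, tried = set(), [name.lower()], []
    for _ in range(max_depth):
        next_frontier = []
        for candidate in frontier:
            if candidate in seen:
                continue
            seen.add(candidate)
            tried.append(candidate)
            if candidate in products:
                return candidate, tried
            next_frontier.extend(productions(candidate))
        frontier = next_frontier
    return None, tried


# Constructed sample of NVD product names for the example.
SAMPLE_NVD_PRODUCTS = ["BIND", "Apache", "Apache HTTP Server", "OpenSSL", "Firefox"]

if __name__ == "__main__":
    for pkg in ["bind9-host", "libbind9-0", "apache2-utils", "FireFox", "libssl0.9.8"]:
        print(pkg, "->", match_package(pkg, SAMPLE_NVD_PRODUCTS))
```

Collapsing bind9 to bind is what lets the match succeed, but it also discards the major-release distinction that Section 3.3.2 shows to be a source of false positives.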
3.3.3.5 Two additional matching heuristics 

Olk'ii j CVE n. : .r.o- ■ calry Lilnlair]' ^evcial .'vnls. or ocn 

:i ik^Tipli.'n |-i::imi.-.L l.y In Midi l;i-.m ilv |iic'-.j;'.- ii:im.-. "hid": wc:. -: 

match the final word in the description. For example, the word "Linux" cannot 
match <prod name="Enterprise Linux">; however the single word 
"Linux" from the CVE can be matched back to the system name. Similarly, the 
system name "libwpd" with <prod name="libwpd library">. The 
match function attempts to match any word contained in the CVE <prod name=" 
"> with the package name of the system. This heuristic name is a "reverse" 

Similarly, should a word within the CVE <prod name=" "> 
entry may be matched with any word derived from the Match Function 
which in turn is contained in <prod name="Fx Magic Music">. This 
match function heuristic name is an "any" match. 

Although these two matching heuristics do produce additional matches, 
the quality of these matches is very poor. They produce a tremendous quantity of 
false positives, and the correct results they produce are generally duplicates of 
other heuristic productions. Package names that contain the adjectives 'file', 
'linux', 'ftp', or 'telnet', are particularly problematic; they are quite 
common in the NVD. The word 'file' often occurs in both the system and the 










Iinen-ini i h. L. hie .:,eh -ne.v"ii iiill.Ti ••iih Lie hemi-lie ranie 

ITilt piiHiuced I'll L- iv.tlcll h: IT- Wii>. ill.' Levi- jlie' id. 1 iill;liillillinn I'm it.illlei 

The policy of the match function is to discover matches between a 
system's package names and NVD entries, and when there are uncertain results, 
to fail by generating false positives. The various productions, multiplied by the 
intentional production of uncertain results, create duplicate results. 

Tilt miildiinu lunelien "lieu idi.-ilile- ■-■•i.-:il Ties .■■i'iTC-|Hindine in on- 1 
■ uh.ciiihilu TIT- i- inl.-iiti..-iil' :.• the lmiltk'-| ..| tie i iiliic:.Ll:ilil> i- 

mikn.-mn and il-.'i.T', I p.ieiii ' , i l i. i ell., i.-..: i.eiicmtiOh. OlTi'ri. as in 
the. case of a recent e?.f;, vulnerability. rVF.-2llOT 5-W7. many related packages 



3.3.5 I'lic prnlilcin (ilikltetiiiitdimM-lrv idleraliini 

< Ipeil .Soiree Sei'hAaie. ■. ;h- m . la- :■. I I -SI'. . ' .I'i'Mnv licenses Ihai 

permit the modification of packages. The license, along with the availability of 



software experiences changes throughout its development stream, including changes 
by the end-user. This poses additional problems to determine if vulnerable 
software exists on a system using the NVD. The software name and version found 

in the NVI1 is hkel. I'm n Tie lie 1.1 ..I Tie d. seh'pi I, nl 1.1 Toes mil n it. el 
lac myriad ol clinou.^ il.- i •ii.'iin- ■." hi- mil;. Iiii' made, '["his i BtLi<? is Hie 
Same :ii tile lianu- an:: , .■! Mi.ilL'l ill; ■ : 1 1 : 1 1 1 ■. ■ I ■ I - . . . 1 1 in Svctirm .'-2-2 

I "1 1 1 -i .k:v,i:M:",':ini .ik.'r.uioil .1 II..' I II.- I lalchi:!!' "a I. :.■ I 

has accurately matched a system name with a CVE entry, and has determined that 
the system version is less than or equal to the greatest vulnerable version in the 
CVE. Surprisingly it is very likely this matched package is still not vulnerable. 
This has caused much confusion for IT personnel attempting to detect vulnerable 
OSS software. 

The root of the confusion is that CVE entries contain versions as listed at 

tile head hi" tile dowdopai.a 1 '1 1. I In- stil:sis|o.ai: : I. i'A "i-n ea:l i a It:' illations a:.' 

not uppareiit 111 the l.'Vk. anil v. il i;i ecu. i::i:- : I. -.- all.- 1:11 inn v com paring 

version information is worthless. 

Section 3.2.2.2 describes the truncation of system version information 
after the upstream version. This must occur to enable a comparison with the 

NVD. Unfortunately, the information added after the upstream system version 

represents significant alterations that affected the package including the 
back-porting of security patches. Table 3 shows versions of several Ubuntu 

packa;:.'* and Ikci :i 1: i.;u..l .0.11 a.- p ai. " la ..■ 11 a. ■ ■' signify liiolouild 

changes from the upstream version. 

At the head of a development stream (Figure 6), the project maintainer 
produces release versions, and downstream, various entities make changes to this 
version. These changes fundamentally alter the software to such a degree that it 
may no longer behave the same. Alterations may be for many purposes, not only 



i'i.'TI ilv lv Lil i'l :hc ■■ ■. i p ncii: ^livam .1 iMivam ■111. I Ik- 
backporting process eliminates the vulnerability within the older "version", but 
the older version will still appear to be vulnerable in comparison to the NVD 
version regardless that it no longer contains the faulty code. 

The prnelicc ''I' ' l'.;. '-.|i"r. | >T ,1 -.cum i:v v. 1 ' icdi cc l ie Imi^- il-.- nl' 
patch 10 precede co'mi die lI.-^ -m i-i - 11 •ii.mii-. ;m .an do the work: 

however, il is OI'Il-i] the '.Mil k 11: i.l- -: 1 .1.1.: ..1: pa. -.a;!. ■ laara la-iv Till' work done 
Hi produce 111.' SLcliriij. : a',|- lv: 11- ,. la a |.. all •! ■ I i^-a.a ,0 111:! head Ol' Mil! 

development stream. Thereafter, this fix becomes part of all future versions. 



"stable" versions of the software. This takes additional work, as the stable 
versions may not be the same as the code at the head of development in lieu of the 

1 1. .'•.Mi a slal: li:' . I I.'' aess IV 1 el :lcl. :■: 1 11:: la,' pa:ah ;;i a|';:K il 10 tl» J stalll.' 

software is one form of "back porting" the security patch. 
downstream package maintainer (Figure 15). These annotations indicate if the 

system version is vulnerable or if a back port has been applied. Removing 
annotation, such as shown in Table 3, enables numerical comparison to those in the 
NVD; however, the results can contain false positives. The package versions 
detected as vulnerable by this comparison may actually contain applied back-
ported security patches. 

Fortunately, .deb packages contain a changelog file that has a 

history of the package maintainer's work, including applied security patches. 
Each security patch, which back ports a package in a manner to fix a bug or 

matching function can evaluate the presence of a CVE number in a back-ported fix 



in the package binary. Figure 16 shows 
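A changelog check of the kind described above, as an added Python example (not the thesis's code): the CVE identifiers recorded in a debian/changelog are collected for the installed revision and every older one, and matches carrying those identifiers are dropped as back-ported fixes. The changelog text, package name, maintainer and CVE-0000-NNNN identifiers are constructed placeholders, and an installed version that does not appear in the changelog suppresses nothing.

```python
import re
from typing import Dict, List, Set, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# A debian/changelog entry opens with: package (version) distribution; urgency=...
ENTRY_RE = re.compile(r"^\S+ \(([^()]+)\) \S+; urgency=")

# Constructed changelog excerpt; package, versions, maintainer and CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
apache2 (2.2.3-4ubuntu2.1) feisty-security; urgency=low

  * SECURITY UPDATE: back-port of the upstream fixes for CVE-0000-0001 and
    CVE-0000-0002 to the 2.2.3 code base; the upstream version is unchanged.
  * debian/patches/900-cve-0000-0001.dpatch: patch taken from upstream 2.2.6.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 14 Jan 2008 10:00:00 +0000

apache2 (2.2.3-4ubuntu2) feisty; urgency=low

  * Initial Ubuntu build.

 -- Example Maintainer <maintainer@example.invalid>  Tue, 20 Mar 2007 09:00:00 +0000
"""


def parse_changelog(text: str) -> List[Tuple[str, Set[str]]]:
    """Return (package_version, cve_ids) per entry, newest entry first, where the
    ids are every CVE number mentioned anywhere in that entry's body."""
    entries: List[Tuple[str, Set[str]]] = []
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            entries.append((header.group(1), set()))
        elif entries:
            entries[-1][1].update(c.upper() for c in CVE_RE.findall(line))
    return entries


def backported_cves(text: str, installed_version: str) -> Set[str]:
    """CVE ids fixed in the installed revision or in any older revision, i.e. fixes
    that are compiled into the installed binary. Entries newer than the installed
    revision, and an installed version absent from the changelog, contribute
    nothing, so an unrecognised changelog never hides a match."""
    fixed: Set[str] = set()
    reached_installed = False
    for version, cves in parse_changelog(text):
        if version == installed_version:
            reached_installed = True
        if reached_installed:
            fixed |= cves
    return fixed


def suppress_backported(flagged: List[Tuple[str, str]], changelogs: Dict[str, str],
                        installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Drop (package, cve_id) matches, such as those produced by version comparison
    against the NVD, whose CVE is recorded as fixed in the package's changelog."""
    kept = []
    for package, cve_id in flagged:
        fixed = backported_cves(changelogs.get(package, ""), installed.get(package, ""))
        if cve_id.upper() not in fixed:
            kept.append((package, cve_id))
    return kept


if __name__ == "__main__":
    matches = [("apache2", "CVE-0000-0001"), ("apache2", "CVE-0000-0003")]
    print(suppress_backported(matches, {"apache2": SAMPLE_CHANGELOG},
                              {"apache2": "2.2.3-4ubuntu2.1"}))
```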



.l.-l^i .nine il .1-1 ai'..K- • :'l lli- - I '.: i- I 'I' . I i.i.'l" i...'i': ..I lie i_l I "ni Malio'i 

['V Ihr? 'Villlrjr of llv -y-i.'ill. ..■ 1 1:. I I ill '. : Il -I 1 ■ :. .11.101 I -Il nviili'S 111 L- system. 

independent analysis. One method for verification is to compare each non-
negative result produced by the matching function against the list of packages the 
system itself determines are vulnerable. Of course, this verification is impractical 
if done "by hand" through the systematic examination of each vulnerability and 
each NVD entry. 

In a\ nid litis iiiriiaLiie.il o. ■ i.- i:,ln ;i -]. -loin lomi : 1. 1. - .jet . apt- 

..■lil'calilln. I'll.' v. -loin Ion'- -iri|ik ..II.'.:; r [hole ir:J:Jo- .1. ilikilil. Ill,' 

update mirror, the tool debsecan compares the installed system packages to the 



4. Results of testing the matching function 

patched Linux systems. The results produced by the matching function 
consistently indicated more vulnerabilities than the tool c -p.r ? 
(Table 16). 



Matching Function 



To compare these two functions, results for the ■..■in 2 ■':■(; S are shown in 
Figure 17. Note the matching function detects all the vulnerable packages 
detected by debsecan, ^■■•i- :il . .'■<■*. ■ri-l M". I'ml :lii][ c.-bs.-.Mri irr/.i-hyv. 

Sections 4 r l r l ;rKl 4.1 i.I,'-i:i il:,' . ui ii iii.i ii ;.i:, :I -:..|-. i.ii lln- l ieili': ill d'llnil. 
4.1 Items only reported by debsecan 



• CVE-2008-1066 (... Smarty before 2.6.19, as used by Serendipity (S9Y) and other products...)

Analysis:

The tool debsecan reports the package gallery2 as vulnerable to CVE-2008-1066. However, this CVE is for the package "Smarty", not "Gallery2". This inconsistency is a result of a composition issue similar to the one described above: the NVD entry does not indicate that software which includes the vulnerable component, such as the package gallery2, would be part of CVE-2008-1066. Due to the stipulation that the contents of the NVD determine vulnerability status, not the heuristic, the result is a false positive. However, the tool debsecan, which relies upon vendor information, has correctly indicated the package gallery2 is vulnerable.



Analysis:

The CVE describes vulnerabilities for the version listed in the NVD (Section 3.2.1.2); therefore, by these heuristics the packages gnupg and gpgv receive a vulnerable status.






Match function false positive

Packages provided by php5:

• CVE-... (... context-dependent ...)

• CVE-2008-0145 (Unspecified vulnerability in glob in PHP before ...)

• CVE-2008-0226 (Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL...)
Analysis:

The CVE indicates the PHP vulnerability is for all versions preceding a specific version. The upstream version represented by the system is less than both 5.2.5 and 4.4.8. In addition, both CVE numbers are not within the package changelogs. Therefore, by these heuristics the packages php5 and php4 are vulnerable.

The detection of the MySQL vulnerability is due to the decomposition of the package name. The NVD contains a CVE for a product named "mysql". The match function will attempt to determine if the CVE number is present in the changelog of a package of that name, but no package named "mysql" is found on the system. MySQL has multiple component packages on a system: mysql-common, mysql-server, and mysql-client. A mapping between the NVD package name and the system package name is needed to resolve this false positive.


Package: libapache2-svn 1.4.2

• CVE-2008-0005 (mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, ...)

• CVE-2008-0455 (Cross-site scripting (XSS) vulnerability in the mod_negotiation module ...)

• CVE-2008-0456 (CRLF injection vulnerability in the mod_negotiation ...)
Packages provided by netpbm:

libnetpbm10

• CVE-... (... in the readImageData function ...)

Analysis:

The vulnerability is for a function of the library ..., so the heuristics report libnetpbm10 as vulnerable.



4.2 Vulnerability not reported by debsecan



• CVE-2008-... (The bdecode_recursive function in include/libtorrent/bencode.hpp in Rasterbar Software libtorrent before 0.12.1, as used in ... and other products...)



The upstream version represented by the system is less than 0.12.1. In addition, the CVE number is not within the package changelogs; therefore, by these heuristics the package is vulnerable. Why debsecan does not report the vulnerability is unclear. Perhaps it is because the package libtorrent is still ...

Virtual Package

Analysis:

The Match Function reports two vulnerable components of the latest kernel 2.6.18 within Debian Etch. The package linux-image-2.6-686 is a virtual package, not reported by debsecan and not to be reported by the matching function.
Match Function false-positive

Packages provided by python:

• CVE-2008-1721 (Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary...)



Analysis:

This vulnerability is for all versions preceding a specific version. The upstream version represented by the system is less than 2.5.2. In addition, the CVE number is not within the package changelogs. Therefore, by these heuristics the packages python, python2.4, and python2.4-minimal are vulnerable.

The packages python-support and python-apt should not be reported as vulnerable. They are reported because their names match with python, although they are not part of the python package.
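The heuristics used in the analyses above (decomposing the NVD product name, comparing the system's upstream version against the version the CVE names as fixed, and checking the package changelog for the CVE number) can be written as a short matching function. The Python below is an added illustration written for this edit, not the thesis's tool: the NVD records, the installed-package list, the changelog references and the name map are constructed for the example; the fixed-in versions for the MySQL and Python records are assumptions; and the name map stands in for the vendor-to-NVD mapping the text says is needed. It goes a little beyond the text by choosing the fixed version on the installed package's own major release, so a 4.4.x PHP is judged against 4.4.8 rather than 5.2.5.

```python
import re

# Constructed NVD-style records: (cve id, product name as the NVD writes it,
# fixed-in versions, one per release branch, as in "PHP before 5.2.5 and 4.4.8").
# The fixed-in versions for the MySQL and Python entries are assumptions made
# for this example, not values taken from the NVD.
NVD_RECORDS = [
    ("CVE-2008-0145", "php", ["5.2.5", "4.4.8"]),
    ("CVE-2008-0226", "mysql", ["5.0.51"]),
    ("CVE-2008-1721", "python", ["2.5.3"]),
    ("CVE-2008-0005", "apache http server", ["2.2.7"]),
]

# Constructed installed-package list in Debian "epoch:upstream-revision" form.
INSTALLED = {
    "php5": "5.2.0-8+etch10",
    "php4": "6:4.4.4-8+etch4",
    "mysql-server": "5.0.32-7etch5",
    "mysql-common": "5.0.32-7etch5",
    "python2.4": "2.4.4-2",
    "python-apt": "0.6.19",
    "apache2": "2.2.3-4+etch4",
    "libapache2-svn": "1.4.2dfsg1-2",
}

# Constructed: CVE ids a maintainer named in each package's changelog (back-ported fixes).
CHANGELOG_CVES = {
    "php5": {"CVE-2008-0145"},
    "apache2": {"CVE-2008-0005"},
}

# Assumed synonym table from NVD product name to the Debian packages built from
# that upstream source; this plays the role of the text's "canonical number".
NAME_MAP = {
    "php": ["php5", "php4"],
    "mysql": ["mysql-server", "mysql-common", "mysql-client"],
    "python": ["python2.4", "python2.4-minimal"],
    "apache http server": ["apache2"],
}


def upstream_version(debian_version):
    """Drop the epoch ("6:") and the Debian revision ("-8+etch4"), keeping upstream."""
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def version_key(version):
    """Sortable key: numeric runs compare as integers, letter runs as strings."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def branch_bound(fixed_versions, upstream):
    """Fixed version on the same major release as the installed upstream, if any."""
    major = version_key(upstream)[:1]
    for fixed in fixed_versions:
        if version_key(fixed)[:1] == major:
            return fixed
    return None


def naive_candidates(product, installed):
    """Name decomposition as the text describes it: any installed package whose
    name contains the first word of the NVD product name. Over-matches."""
    token = product.split()[0]
    return sorted(p for p in installed if token in p)


def match(installed, nvd_records, changelog_cves, name_map):
    """Map package -> CVE ids the heuristics judge unpatched."""
    findings = {}
    for cve, product, fixed_versions in nvd_records:
        for pkg in name_map.get(product, []):
            if pkg not in installed:
                continue
            upstream = upstream_version(installed[pkg])
            bound = branch_bound(fixed_versions, upstream)
            if bound is None or version_key(upstream) >= version_key(bound):
                continue  # installed upstream is at or beyond the fix on its branch
            if cve in changelog_cves.get(pkg, set()):
                continue  # maintainer recorded a back-ported fix for this CVE
            findings.setdefault(pkg, []).append(cve)
    return findings


if __name__ == "__main__":
    for pkg, cves in sorted(match(INSTALLED, NVD_RECORDS, CHANGELOG_CVES, NAME_MAP).items()):
        print(pkg, ",".join(cves))
    print("naive python candidates:", naive_candidates("python", INSTALLED))
```

With the constructed data, php5 and apache2 are suppressed by their changelog references, php4, mysql-server, mysql-common and python2.4 are reported, and python-apt and libapache2-svn are never considered because the name map, not substring decomposition, selects candidates; naive_candidates shows the over-matches the text complains about.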
The vulnerabilities discovered in a fully patched system matched against NVD files between 2002 and 2008 are in Table 17. Additional detailed analyses were not performed, but are expected to be similar to those of the 2008 analysis.




5. Conclusion 

This work investigated the feasibility of using a vendor-independent vulnerability data source such as the NVD to determine whether vulnerabilities exist within fully patched and up-to-date Open Source computer systems. This method discovered a set of vulnerable packages in fully patched systems. A comparison of these results examined their content versus two other result sets produced by independent tools. These comparison result sets used vendor specific data; one set by the Debian tool debsecan, and the other set by the package ...

The fully updated systems examined contained unpatched vulnerabilities when analysed by either the matching function, or the vendor-specific tool debsecan. Therefore, it is possible to demonstrate the presence of unpatched vulnerabilities in fully updated systems, and it is a fallacy to assume an up-to-date system contains none. The goal of the thesis was partially successful, limited by inconsistencies and absence of critical information within the NVD.

The tool debsecan produced fewer false positives than the method used here of comparing the information contained in the NVD and that in the packages present on the system. Conversely, the matching function is not subject to the latency required to generate the Debian-specific security data. The matching function detected vulnerabilities in the system that were impossible to detect by debsecan, because the Debian Security Team had not yet finished the analysis of the CVE entry.

The information presented in this thesis only represents a particular snapshot in time. All of the data sources relied upon to generate the analysis experience frequent changes, which affect their outcome. The NVD changes daily: new CVE entries appear and existing entries are modified. Information produced by the Debian Security Team changes as its analysis of entries proceeds. Download sites reflect ongoing updates and releases of Open Source packages with new ...



One great value of the NVD, and the CVEs contained therein, is that of normalization: all the known vulnerability information is associated with and assigned a common identifier to resolve among various data. This standardization facilitates human communication, and ideally enables the interoperability of automated tools. Yet the NVD does not sufficiently support identification of software, and consequently the value of the NVD suffers. Furthermore, if users of the NVD do not accommodate these shortcomings, the conclusions drawn from NVD data also suffer.

The question this thesis raises is whether publicly known vulnerabilities exist within fully patched OSS systems. In the process of resolving this question, many issues within the NVD became apparent. These issues were significant enough to inhibit the identification of vulnerabilities on Open Source systems. Accommodations for them were incorporated into the software matching heuristics of this work, which increased the precision of the result. However, these accommodations do not represent a complete solution. Matching software techniques have a limited ability to resolve the data issues; the NVD itself needs changes that provide the means to identify software unambiguously. This work has noted many inconsistencies in the NVD while attempting to ...
5.1 Recommendations for the NVD

The solution organization is in two categories:

1: Resolutions for the NVD consistency problems

2: Resolutions to ambiguous matching of vulnerable OSS

5.1.1 Resolutions for the NVD consistency problems

The NVD needs to be consistent in its product names: it must reference different vulnerabilities of the same software with the same name. As an example, currently there are a number of CVE entries with a product name of "Apache" and others with the product name of "Apache HTTP Server". This is a problem of data normalization, and the solution is to choose one name or the other. In this case, the name "Apache HTTP Server" is more precise.
NVD entries provide limited information about the vulnerable software, and the name chosen should preferably be the one used by the software vendor itself. Both of these cases can be resolved through data normalization. The case of the names needs also to be consistent; referring to the GNU Compiler Collection as both "GCC" and "gcc" raises the question of whether case is used to identify software. If it is not, then it would at least be easy to enforce all names with the same case. However, ignoring case discards the distinction between software names that differ only in case: the difference between Ant (automated software build tool) and ANT (desktop ISDN telephony application) would be lost, and therefore it is not a good idea.

The NVD entries should be required to use a consistent naming convention. Many examples of inconsistent naming exist in the NVD. Table 18 lists some of the "granularity" inconsistencies within the names of such products, for instance "Apache" against "Apache HTTP Server". The resolution for this issue is within Section 5.2.2.

5.1.2 Resolutions to ambiguous matching of vulnerable software

One of these problems is due to the same software entities having different names within different domains. A good example is that the name for the Apache HTTP Server is "apache2" on Debian Linux systems and "httpd" on Red Hat Linux systems.

The problem of mapping named synonyms, originating from different domains, to a single identifier is the issue that the NVD was created to solve. This same solution, applied to software names, will resolve many of the matching issues this work uncovered.



Figure 18: [ string1 ] [ string2 ] ... [ stringN ] resolved to one canonical number; a canonical number resolves name matching problems due to different names.

A unique identifier, called a Canonical Number (CN), allows unambiguous matches of case-sensitive names (Figure 18). Adding the number CN-1234-5678 to an Ant vulnerability allows Ant (automated software build tool) to match, while not matching the different number assigned to ANT (desktop ISDN telephony application). The same number also identifies the same software known by different names: one canonical number can refer to "Apache", "apache2", "httpd" and "Apache HTTP Server" with the same result. Names with adjectives, upon which this work relies, are handled the same way: "libapache2-mod-ssl" (Debian name), "mod_ssl" (project name) and "Mod_ssl" (NVD name) can all resolve to CN-2587-1750.

The examples so far are direct matches by human review. A canonical number will also allow matching between entities that would otherwise be unmatchable by name. The series of CVE vulnerabilities shown in Figure 19 applies to modules that the Debian package includes alongside six other modules; this composition means that a vulnerability in one module, such as mod_proxy_ftp in the Apache HTTP Server, belongs to the package that ships it. A canonical number enables the match to succeed where direct name matching will fail.

Major releases represent vastly different bodies of code. The NVD should separate the major releases by giving them a product entry of their own, just as successive major releases of Windows receive different entries. The NVD currently has product entries for Windows 3.51, Windows 95, Windows 98, Windows NT, Windows 2000, Windows ME, Windows XP, and Windows Vista. Similarly, there should be entries for PHP 4, PHP 5 and the major releases of Perl, the Apache HTTP Server, etc. This will allow a specific major release to match without results from other major releases, and other sets of versions, confusing the match results. An example for PHP:

...

This avoids the version errors noted before (Section 3.3.4). This resolution follows the method in this work, which is to present only the highest fixed version per major release. In this way both the data structure and the comparison matching will be simpler and less prone to error. Software with major releases can still share the same ...

Some of the responsibility for version ambiguities rests on the shoulders of the Distributions. The resolution of this issue is the one used in this thesis. Debian, for the most part, is a good example of a Linux Distribution whose changelogs contain references to the security fixes applied. Other Linux Distributions can replicate this example and thereby make back-ported security patches visible to automated tools.
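Making back-ported fixes visible to tools, as the paragraph above asks of distributions, requires a tool that can read the changelog. The Python below is an added example for this edit, not code from the thesis: it parses a constructed Debian-format changelog excerpt (package, versions, maintainer and dates are made up) and collects the CVE identifiers each entry names, which is the information the changelog heuristic of the matching function consults.

```python
import re

# Constructed Debian-format changelog excerpt; maintainer, dates, versions and the
# bug reference are made up for this example.
SAMPLE_CHANGELOG = """\
php5 (5.2.0-8+etch10) stable-security; urgency=high

  * Backport upstream fix for CVE-2008-0145 (glob).
  * Refresh patch series (closes: #123456, not a CVE).

 -- Example Maintainer <maint@example.org>  Mon, 10 Mar 2008 20:00:00 +0000

php5 (5.2.0-8+etch9) stable-security; urgency=high

  * Fix CVE-2007-4782: crash in glob() on malformed patterns.

 -- Example Maintainer <maint@example.org>  Fri, 11 Jan 2008 12:00:00 +0000
"""

# Entry header at column 0: "package (version) distribution; urgency=level".
# Change lines are indented and the trailer starts with " -- ", so neither matches.
HEADER = re.compile(r"^(\S+) \(([^)]+)\) [^;]+; urgency=\S+")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return {version: set of CVE ids named in that entry}, in file order."""
    entries = {}
    current = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(2)
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update(CVE_ID.findall(line))
    return entries


def cves_fixed(text):
    """Union over all entries: every entry in a shipped changelog belongs to the
    installed version or an earlier one, so each CVE named is an applied fix."""
    fixed = set()
    for cves in parse_changelog(text).values():
        fixed |= cves
    return fixed


if __name__ == "__main__":
    for version, cves in parse_changelog(SAMPLE_CHANGELOG).items():
        print(version, sorted(cves))
    print("fixed:", sorted(cves_fixed(SAMPLE_CHANGELOG)))
```

The per-version dictionary is what a tool needs to decide whether a CVE was fixed at or before the installed revision; the flat set is what the simple changelog heuristic in the analyses above uses.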